Hardening Windows 2000/XP

Abstract

This is a set of security settings which I believe significantly strengthen the security of Windows 2000/XP.

Audience

This document is aimed at a user with the following (approximate) Windows setup:

Settings

The following list is sorted in order of importance:

  1. Apply all WindowsUpdate patches
    You should strive to keep your system up-to-date at least on a weekly basis. Of particular importance are the patches for Named Pipes and Net DDE since they have trivial exploits.
  2. Use NTFS instead of FAT or FAT32
    NTFS provides permissions for files and directories, encrypted files, compressed files and many other useful features. It is essential for protecting your personal files from the files belonging to another user, as well as for protecting system files from being tampered with or deleted.
  3. Use strong passwords
    If someone compromises your local Administrator account (via another local account or over the network), they have complete control over the machine. Create and use a strong password or passphrase (Diceware). Do not share this password or passphrase with anyone and do not write it down.
  4. Log in as a member of a less privileged group
    Rather than logging into the machine as Administrator (or a user who is a member of the Administrators group), create a separate user which is a member of the Power Users or Users group. If your account is compromised (by a virus, for example), the extent of the damage you can do on the machine is limited to your own files. For day-to-day use, the Power Users group allows you to do about 80% of the same tasks as the Administrators group. If you must run software that requires Administrator privileges, use the "runas" command, or Shift + click on a shortcut and select "Run as..." from the menu. This allows you to run more than 95% of the software you would need.
  5. Set up Internet Explorer security zones
    Display the "My Computer" security zone in the "Internet Options" Control Panel applet by changing HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\Flags to "1".
    Note that ActiveX controls are disabled in the Internet zone. Although this might seem limiting, it is necessary due to the significant number of ActiveX control vulnerabilities discovered recently. It is unwise to have ActiveX controls enabled while casually browsing the web! If you must use a site that requires ActiveX controls (such as WindowsUpdate), add it to Trusted sites security zone.
    | #  | Description                                                                                          | Internet | Local intranet | Trusted sites | Restricted sites | My Computer |
    |----|------------------------------------------------------------------------------------------------------|----------|----------------|---------------|------------------|-------------|
    | 1  | Download signed ActiveX controls                                                                     | Disabled | Prompt         | Prompt        | Disabled         | Prompt      |
    | 2  | Download unsigned ActiveX controls                                                                   | Disabled | Disabled       | Disabled      | Disabled         | Disabled    |
    | 3  | Initialize and script ActiveX controls not marked as safe                                            | Disabled | Disabled       | Disabled      | Disabled         | Disabled    |
    | 4  | Run ActiveX controls and plug-ins                                                                    | Disabled | Prompt         | Enabled       | Disabled         | Enabled     |
    | 5  | Script ActiveX controls marked as safe for scripting                                                 | Disabled | Prompt         | Enabled       | Disabled         | Enabled     |
    | 6  | File Download                                                                                        | Enabled  | Enabled        | Enabled       | Disabled         | Enabled     |
    | 7  | Font download                                                                                        | Prompt   | Prompt         | Prompt        | Disabled         | Prompt      |
    | 8  | Java permissions                                                                                     | High     | High           | High          | Disabled         | Medium      |
    | 9  | Access data sources across domains                                                                   | Disabled | Prompt         | Prompt        | Disabled         | Prompt      |
    | 10 | Allow META REFRESH                                                                                   | Enabled  | Enabled        | Enabled       | Disabled         | Enabled     |
    | 11 | Display mixed content                                                                                | Prompt   | Prompt         | Prompt        | Prompt           | Prompt      |
    | 12 | Don't prompt for client certificate selection when no certificates or only one certificate exists    | Disabled | Disabled       | Disabled      | Disabled         | Disabled    |
    | 13 | Drag and drop or copy and paste of files                                                             | Prompt   | Prompt         | Prompt        | Prompt           | Enabled     |
    | 14 | Installation of desktop items                                                                        | Prompt   | Prompt         | Prompt        | Disabled         | Prompt      |
    | 15 | Launching programs and files in an IFRAME                                                            | Prompt   | Prompt         | Prompt        | Disabled         | Prompt      |
    | 16 | Navigate sub-frames across different domains                                                         | Prompt   | Prompt         | Prompt        | Disabled         | Enabled     |
    | 17 | Software channel permissions                                                                         | High     | High           | High          | High             | High        |
    | 18 | Submit non-encrypted form data                                                                       | Enabled  | Enabled        | Enabled       | Prompt           | Enabled     |
    | 19 | Userdata persistence                                                                                 | Disabled | Disabled       | Disabled      | Disabled         | Disabled    |
    | 20 | Active scripting                                                                                     | Enabled  | Enabled        | Enabled       | Disabled         | Enabled     |
    | 21 | Allow paste operations via script                                                                    | Prompt   | Prompt         | Prompt        | Disabled         | Prompt      |
    | 22 | Scripting of Java applets                                                                            | Prompt   | Prompt         | Prompt        | Disabled         | Prompt      |
    | 23 | Logon                                                                                                | Prompt   | Prompt         | Prompt        | Prompt           | Automatic   |
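    Applying 23 settings across five zones by hand is error-prone, so the script below, an added example that is not part of the original page, turns the zone table above into a .reg file that can be imported (or pushed out by a logon script) to make every machine match. It assumes the standard Internet Explorer "URL action" value names (1001, 1004, 1200, ..., 1A00, 1C00, 1E05) that live under each `Zones\<n>` key and the usual encodings (0 = Enabled, 1 = Prompt, 3 = Disabled, with Java permissions, software channel permissions and Logon stored as a level in the high word); check these against your own registry before importing, since the page itself only names the settings, not the value names. The zone numbers are Internet = 3, Local intranet = 1, Trusted sites = 2, Restricted sites = 4, My Computer = 0, and the `Flags` change from item 5 is emitted for zone 0.

```python
# Added example: generate a .reg file from the IE zone matrix above.
# Value names (URL action IDs) and encodings are assumptions about IE's
# documented layout, not something taken from the page.

# Constructed copy of the table above: "<#> <description> <5 zone settings>".
ZONE_TABLE = """\
1 Download signed ActiveX controls Disabled Prompt Prompt Disabled Prompt
2 Download unsigned ActiveX controls Disabled Disabled Disabled Disabled Disabled
3 Initialize and script ActiveX controls not marked as safe Disabled Disabled Disabled Disabled Disabled
4 Run ActiveX controls and plug-ins Disabled Prompt Enabled Disabled Enabled
5 Script ActiveX controls marked as safe for scripting Disabled Prompt Enabled Disabled Enabled
6 File Download Enabled Enabled Enabled Disabled Enabled
7 Font download Prompt Prompt Prompt Disabled Prompt
8 Java permissions High High High Disabled Medium
9 Access data sources across domains Disabled Prompt Prompt Disabled Prompt
10 Allow META REFRESH Enabled Enabled Enabled Disabled Enabled
11 Display mixed content Prompt Prompt Prompt Prompt Prompt
12 Don't prompt for client certificate selection when no certificates or only one certificate exists Disabled Disabled Disabled Disabled Disabled
13 Drag and drop or copy and paste of files Prompt Prompt Prompt Prompt Enabled
14 Installation of desktop items Prompt Prompt Prompt Disabled Prompt
15 Launching programs and files in an IFRAME Prompt Prompt Prompt Disabled Prompt
16 Navigate sub-frames across different domains Prompt Prompt Prompt Disabled Enabled
17 Software channel permissions High High High High High
18 Submit non-encrypted form data Enabled Enabled Enabled Prompt Enabled
19 Userdata persistence Disabled Disabled Disabled Disabled Disabled
20 Active scripting Enabled Enabled Enabled Disabled Enabled
21 Allow paste operations via script Prompt Prompt Prompt Disabled Prompt
22 Scripting of Java applets Prompt Prompt Prompt Disabled Prompt
23 Logon Prompt Prompt Prompt Prompt Automatic
"""

ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
# Table columns: Internet, Local intranet, Trusted sites, Restricted sites, My Computer
COLUMN_ZONES = (3, 1, 2, 4, 0)

# Description -> URL action value name under Zones\<n> (assumed IE layout).
ACTION_IDS = {
    "Download signed ActiveX controls": "1001",
    "Download unsigned ActiveX controls": "1004",
    "Initialize and script ActiveX controls not marked as safe": "1201",
    "Run ActiveX controls and plug-ins": "1200",
    "Script ActiveX controls marked as safe for scripting": "1405",
    "File Download": "1803",
    "Font download": "1604",
    "Java permissions": "1C00",
    "Access data sources across domains": "1406",
    "Allow META REFRESH": "1608",
    "Display mixed content": "1609",
    "Don't prompt for client certificate selection when no certificates or only one certificate exists": "1A04",
    "Drag and drop or copy and paste of files": "1802",
    "Installation of desktop items": "1800",
    "Launching programs and files in an IFRAME": "1804",
    "Navigate sub-frames across different domains": "1607",
    "Software channel permissions": "1E05",
    "Submit non-encrypted form data": "1601",
    "Userdata persistence": "1606",
    "Active scripting": "1400",
    "Allow paste operations via script": "1407",
    "Scripting of Java applets": "1402",
    "Logon": "1A00",
}

# Most actions are tri-state; three store a safety level / logon mode instead.
TRISTATE = {"Enabled": 0, "Prompt": 1, "Disabled": 3}
LEVEL = {"Disabled": 0, "High": 0x10000, "Medium": 0x20000, "Low": 0x30000}
LOGON = {"Automatic": 0, "Prompt": 0x10000}
SPECIAL = {"1C00": LEVEL, "1E05": LEVEL, "1A00": LOGON}


def parse_table(text):
    """Return {action_id: {zone_number: dword}} from the flattened table."""
    rows = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        description = " ".join(tokens[1:-5])   # everything between # and the 5 settings
        action = ACTION_IDS[description]       # KeyError = unknown row, fail loudly
        codes = SPECIAL.get(action, TRISTATE)
        rows[action] = {zone: codes[word] for zone, word in zip(COLUMN_ZONES, tokens[-5:])}
    return rows


def render_reg(rows, show_my_computer=True):
    """Render the parsed rows as a regedit 5.00 file, one section per zone."""
    out = ["Windows Registry Editor Version 5.00", ""]
    for zone in sorted({z for r in rows.values() for z in r}):
        out.append(f"[{ZONE_KEY}\\{zone}]")
        if zone == 0 and show_my_computer:
            out.append('"Flags"=dword:00000001')   # item 5: show the My Computer zone
        for action in sorted(rows):
            out.append(f'"{action}"=dword:{rows[action][zone]:08x}')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_reg(parse_table(ZONE_TABLE)))
```

    Redirect the output to a file and import it with `regedit` under each user account that should get the policy; because the values live under HKEY_CURRENT_USER, a per-machine rollout needs the same import for every profile.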
  6. Set up e-mail clients to use the Restricted sites security zone (if applicable)
    This setting makes Outlook Express (and Outlook?) render HTML e-mail without executing embedded code (such as ActiveX, JavaScript or Java). This virtually eliminates the threat from attacks via rogue HTML e-mail messages. In Outlook Express, you can change this setting by going to Tools->Options->Security.
  7. Stop and set to manual the following services
  8. Turn off the LM password hash storage
    Windows passwords are stored locally in two hashed forms: LM (weak) and NTLM (secure). Disable the LM storage to avoid off-line attacks. Don't forget to change your password(s) afterwards (first change them to some random string, like "abc123", then change them back to their previous value), since the LM hash is only recomputed when a password is changed; otherwise the old LM hashes remain on the machine!
  9. Change Local Security Policy
    Apply the following settings via the Local Security Policy applet:
  10. Turn off NetBIOS
    NetBIOS is an antique protocol, with numerous security vulnerabilities. Turn it off by displaying the Properties for your "Internet Protocol (TCP/IP)" connection, then going to Advanced->WINS->Disable NetBIOS over TCP/IP.
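    Both item 8 (LM hash storage) and item 10 (NetBIOS over TCP/IP) end up as registry values, so they can be audited after the fact. The script below is an added example, not part of the original page; it assumes the standard locations: under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`, Windows XP uses a DWORD value `NoLMHash` = 1 while Windows 2000 uses a subkey named `NoLMHash`; under `...\Services\NetBT\Parameters\Interfaces\Tcpip_{GUID}`, `NetbiosOptions` is 0 (take the DHCP setting), 1 (enabled) or 2 (disabled). The checks run over a plain dictionary snapshot so they can be exercised on any machine; on Windows, `collect_snapshot()` fills that dictionary from the live registry. The sample snapshot is constructed.

```python
# Added example: audit NoLMHash (item 8) and NetBIOS over TCP/IP (item 10).
# Registry paths and value semantics are assumptions stated in the lead-in.
import sys

try:
    import winreg          # only present on Windows
except ImportError:
    winreg = None

LSA_KEY = r"SYSTEM\CurrentControlSet\Control\Lsa"
NETBT_IF_KEY = r"SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces"


def audit(snapshot):
    """Return [(check_name, ok, detail)] for a snapshot of the shape:
    {"lsa_values": {name: dword}, "lsa_subkeys": [name, ...],
     "netbt_interfaces": {"Tcpip_{...}": {"NetbiosOptions": n}}}"""
    findings = []

    # Item 8: either the XP-style value or the Windows 2000-style subkey counts.
    value = snapshot["lsa_values"].get("NoLMHash")
    subkey_present = "NoLMHash" in snapshot["lsa_subkeys"]
    findings.append(("NoLMHash", value == 1 or subkey_present,
                     "value=%r subkey=%s" % (value, subkey_present)))

    # Item 10: NetBIOS must be explicitly disabled (2) on every interface.
    # 0 defers to DHCP, which in practice usually leaves it enabled.
    for name, values in sorted(snapshot["netbt_interfaces"].items()):
        option = values.get("NetbiosOptions", 0)
        findings.append(("NetbiosOptions " + name, option == 2,
                         "NetbiosOptions=%d" % option))
    return findings


def _subkeys(key):
    """List subkey names of an open registry key (Windows only)."""
    names, i = [], 0
    while True:
        try:
            names.append(winreg.EnumKey(key, i))
        except OSError:
            return names
        i += 1


def collect_snapshot():
    """Read the live registry into the snapshot shape used by audit()."""
    if winreg is None:
        raise RuntimeError("winreg unavailable; pass a constructed snapshot instead")
    snap = {"lsa_values": {}, "lsa_subkeys": [], "netbt_interfaces": {}}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, LSA_KEY) as lsa:
        try:
            snap["lsa_values"]["NoLMHash"] = winreg.QueryValueEx(lsa, "NoLMHash")[0]
        except OSError:
            pass                                   # value absent: LM hashes still stored
        snap["lsa_subkeys"] = _subkeys(lsa)
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, NETBT_IF_KEY) as ifaces:
        for name in _subkeys(ifaces):
            with winreg.OpenKey(ifaces, name) as iface:
                try:
                    option = winreg.QueryValueEx(iface, "NetbiosOptions")[0]
                except OSError:
                    option = 0                     # absent: behaves like "from DHCP"
                snap["netbt_interfaces"][name] = {"NetbiosOptions": option}
    return snap


# Constructed snapshot: item 8 done XP-style, but NetBIOS still on one adapter.
SAMPLE_SNAPSHOT = {
    "lsa_values": {"NoLMHash": 1},
    "lsa_subkeys": ["AccessProviders", "Data", "Skew1"],
    "netbt_interfaces": {
        "Tcpip_{11111111-AAAA-BBBB-CCCC-000000000001}": {"NetbiosOptions": 2},
        "Tcpip_{11111111-AAAA-BBBB-CCCC-000000000002}": {"NetbiosOptions": 0},
    },
}

if __name__ == "__main__":
    snap = collect_snapshot() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for check, ok, detail in audit(snap):
        print("%-60s %s  (%s)" % (check, "OK " if ok else "FIX", detail))
```

    On a Windows 2000 machine the `lsa_values` entry stays empty and the `NoLMHash` subkey is what satisfies the check; the audit accepts either form so the same script covers both operating systems.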
  11. Set up a firewall to monitor UDP/TCP activity
    If you've done everything described above (and you have File and Printer Sharing for Microsoft Networks enabled), there are only two open ports on your computer (which could theoretically be compromised): port 135 UDP/TCP (RPC/DCE endpoint mapper) and port 445 TCP (SMB/CIFS over TCP, a.k.a. File and Printer Sharing). You cannot disable the RPC/DCE service (since it would render the machine unbootable!), but you can block any incoming and outgoing traffic to it without any side effects. You can limit access to port 445 to hosts located on your LAN only (in order to avoid external attacks while still allowing file and printer sharing on the LAN). I have been using Tiny Personal Firewall 2.0 (freeware) with great success.
  12. Enable SysKey level 2 (optional)
    Ignore this if you do not use EFS (Encrypted File System).
    If someone gains physical access to your machine, they can boot it up in another operating system (such as Linux), change your passwords and log in to the machine as you. This would negate all the security settings above, including the use of EFS (Encrypted File System). In order to safeguard your machine against physical attacks, run "syskey" from the command prompt and set it to use a "Startup Password." This means you have to type a password before the machine can boot into Windows, but it protects files encrypted via EFS.

As a last step after all this, install and run the Microsoft Baseline Security Analyzer and take note of its results.


Last modified: October 3, 2002
Copyright 2002 Razvan Surdulescu
All Rights Reserved